add tls proxy

Author: kariy

.katana/tls/cert.pem

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBZDCCAQqgAwIBAgIUEnUejjrDt8sswv9NtxzVTTTAwIowCgYIKoZIzj0EAwIw
+ITEfMB0GA1UEAwwWcmNnZW4gc2VsZiBzaWduZWQgY2VydDAgFw03NTAxMDEwMDAw
+MDBaGA80MDk2MDEwMTAwMDAwMFowITEfMB0GA1UEAwwWcmNnZW4gc2VsZiBzaWdu
+ZWQgY2VydDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBHonFxLBX1vkZUkZDU7
+x2mSBOx1CDfPnfVEbAF34v/FVYgHdlgNTamW/yOtF7PD18QuX/w8Y6uhjCQdWIhm
+J7mjHjAcMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNI
+ADBFAiEAs+RsjJzmR0l4fSM8iFJwh7iMAO+XPI+UuXlOlIksdtUCIDUWrAkteEDd
+qVy9fYUXVEs3C4NCgwheMWx+Ou2KnQ2r
+-----END CERTIFICATE-----

.katana/tls/key.pem

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgCgYPu3crCGNMbpIB
+8IsC9riM7bZAi8D8Iszr+0UuUxihRANCAAQR6JxcSwV9b5GVJGQ1O8dpkgTsdQg3
+z531RGwBd+L/xVWIB3ZYDU2plv8jrRezw9fELl/8PGOroYwkHViIZie5
+-----END PRIVATE KEY-----

Cargo.lock

@@ -178,8 +178,12 @@ bytes = "1.10"
 http = "1.3"
 http-body = "1.0"
 hyper = "0.14.27"
+hyper-util = { version = "0.1", features = ["client", "client-legacy", "http1", "tokio"] }
 jsonrpsee = { version = "0.25", default-features = false }
-rustls = "0.23"
+rcgen = "0.13"
+rustls = { version = "0.23", features = ["ring"] }
+rustls-pemfile = "2.2"
+tokio-rustls = { version = "0.26", features = ["ring"] }
 tower = "0.5"
 tower-http = { version = "0.6", features = [ "trace", "cors", "timeout" ] }
 tower-service = "0.3"

Cargo.toml

@@ -263,6 +263,42 @@ impl SequencerNodeArgs {
 
             let cors_origins = self.server.http_cors_origins.clone();
 
+            // Build TLS config
+            let tls = if let (Some(cert_path), Some(key_path)) =
+                (&self.server.tls_cert, &self.server.tls_key)
+            {
+                // Use explicitly provided certificate paths
+                Some(katana_node::config::rpc::TlsConfig {
+                    cert_path: cert_path.clone(),
+                    key_path: key_path.clone(),
+                    is_self_signed: false,
+                })
+            } else if self.server.https {
+                // Auto-generate self-signed certificate for development
+                let tls_dir = std::path::PathBuf::from(".katana/tls");
+
+                // Check if certificates already exist
+                let cert_path = tls_dir.join("cert.pem");
+                let key_path = tls_dir.join("key.pem");
+
+                if cert_path.exists() && key_path.exists() {
+                    info!(target: LOG_TARGET, "Using existing self-signed certificates from .katana/tls/");
+                } else {
+                    info!(target: LOG_TARGET, "Generating self-signed certificates for HTTPS...");
+                    let (cert, key) = katana_rpc_server::tls::generate_self_signed_cert(&tls_dir)
+                        .context("failed to generate self-signed certificates")?;
+                    info!(target: LOG_TARGET, cert = %cert.display(), key = %key.display(), "Self-signed certificates generated");
+                }
+
+                Some(katana_node::config::rpc::TlsConfig {
+                    cert_path,
+                    key_path,
+                    is_self_signed: true,
+                })
+            } else {
+                None
+            };
+
             Ok(RpcConfig {
                 apis: modules,
                 port: self.server.http_port,
@@ -278,6 +314,7 @@ impl SequencerNodeArgs {
                 max_event_page_size: Some(self.server.max_event_page_size),
                 max_proof_keys: Some(self.server.max_proof_keys),
                 max_call_gas: Some(self.server.max_call_gas),
+                tls,
             })
         }
 

crates/cli/src/args.rs

@@ -10,6 +10,7 @@
 #[cfg(feature = "server")]
 use std::net::IpAddr;
 use std::num::NonZeroU128;
+use std::path::PathBuf;
 
 use clap::Args;
 use katana_genesis::Genesis;
@@ -188,6 +189,29 @@ pub struct ServerOptions {
     #[arg(default_value_t = DEFAULT_RPC_MAX_CALL_GAS)]
     #[serde(default = "default_max_call_gas")]
     pub max_call_gas: u64,
+
+    /// Enable HTTPS with auto-generated self-signed certificates.
+    ///
+    /// When this flag is set, Katana will automatically generate a self-signed certificate
+    /// and private key for development purposes. The certificates will be stored in the
+    /// `.katana/tls` directory.
+    ///
+    /// Note: This is for development only. For production, use `--http.tls-cert` and
+    /// `--http.tls-key` with proper certificates from a trusted CA.
+    #[arg(long = "https")]
+    #[arg(conflicts_with_all = ["tls_cert", "tls_key"])]
+    #[serde(default)]
+    pub https: bool,
+
+    /// Path to TLS certificate file (PEM format) for HTTPS.
+    #[arg(long = "http.tls-cert", value_name = "PATH")]
+    #[arg(requires = "tls_key")]
+    pub tls_cert: Option<PathBuf>,
+
+    /// Path to TLS private key file (PEM format) for HTTPS.
+    #[arg(long = "http.tls-key", value_name = "PATH")]
+    #[arg(requires = "tls_cert")]
+    pub tls_key: Option<PathBuf>,
 }
 
 #[cfg(feature = "server")]
@@ -205,6 +229,9 @@ impl Default for ServerOptions {
             max_response_body_size: None,
             timeout: None,
             max_call_gas: DEFAULT_RPC_MAX_CALL_GAS,
+            https: false,
+            tls_cert: None,
+            tls_key: None,
         }
     }
 }
@@ -246,6 +273,15 @@ impl ServerOptions {
             if self.max_call_gas == DEFAULT_RPC_MAX_CALL_GAS {
                 self.max_call_gas = other.max_call_gas;
             }
+            if !self.https {
+                self.https = other.https;
+            }
+            if self.tls_cert.is_none() {
+                self.tls_cert = other.tls_cert.clone();
+            }
+            if self.tls_key.is_none() {
+                self.tls_key = other.tls_key.clone();
+            }
         }
     }
 }

crates/cli/src/options.rs

@@ -1,5 +1,6 @@
 use std::collections::HashSet;
 use std::net::{IpAddr, Ipv4Addr, SocketAddr};
+use std::path::PathBuf;
 use std::time::Duration;
 
 use katana_rpc_server::cors::HeaderValue;
@@ -36,6 +37,17 @@ pub enum RpcModuleKind {
     Cartridge,
 }
 
+/// TLS configuration for HTTPS support.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct TlsConfig {
+    /// Path to the TLS certificate file (PEM format).
+    pub cert_path: PathBuf,
+    /// Path to the TLS private key file (PEM format).
+    pub key_path: PathBuf,
+    /// Whether this is using auto-generated self-signed certificates.
+    pub is_self_signed: bool,
+}
+
 /// Configuration for the RPC server.
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct RpcConfig {
@@ -53,6 +65,8 @@ pub struct RpcConfig {
     pub max_proof_keys: Option<u64>,
     pub max_event_page_size: Option<u64>,
     pub max_call_gas: Option<u64>,
+    /// TLS configuration for HTTPS support (optional).
+    pub tls: Option<TlsConfig>,
 }
 
 impl RpcConfig {
@@ -79,6 +93,7 @@ impl Default for RpcConfig {
             max_event_page_size: Some(DEFAULT_RPC_MAX_EVENT_PAGE_SIZE),
             max_proof_keys: Some(DEFAULT_RPC_MAX_PROOF_KEYS),
             max_call_gas: Some(DEFAULT_RPC_MAX_CALL_GAS),
+            tls: None,
         }
     }
 }

crates/node/src/config/rpc.rs

@@ -326,6 +326,18 @@ impl Node {
             rpc_server = rpc_server.max_response_body_size(max_response_body_size);
         }
 
+        if let Some(ref tls_config) = config.rpc.tls {
+            let tls = if tls_config.is_self_signed {
+                katana_rpc_server::tls::TlsConfig::new_self_signed(
+                    &tls_config.cert_path,
+                    &tls_config.key_path,
+                )
+            } else {
+                katana_rpc_server::tls::TlsConfig::new(&tls_config.cert_path, &tls_config.key_path)
+            };
+            rpc_server = rpc_server.tls(tls);
+        }
+
         // --- build feeder gateway server (optional)
 
         let gateway_server = if let Some(gw_config) = &config.gateway {

crates/node/src/lib.rs

@@ -28,12 +28,17 @@ anyhow.workspace = true
 auto_impl.workspace = true
 futures.workspace = true
 http.workspace = true
+hyper.workspace = true
 jsonrpsee = { workspace = true, features = [ "client", "server" ] }
 metrics.workspace = true
+rcgen.workspace = true
+rustls = {workspace = true,  features = [ "ring"]}
+rustls-pemfile.workspace = true
 serde_json.workspace = true
 starknet = { workspace = true, optional = true }
 thiserror.workspace = true
 tokio.workspace = true
+tokio-rustls = {workspace = true, features = [ "ring"]}
 tower.workspace = true
 tower-http = { workspace = true, features = [ "cors", "trace" ] }
 tracing.workspace = true